VPN between ASA and Draytek - with vpn-filter

Unanswered Question
Jan 7th, 2010

I have successfully established an IPsec VPN between an ASA and a customer's Draytek - the Draytek is using its public IP for both the VPN endpoint and for NATing internal traffic over the VPN. If I apply a vpn-filter statement to the ASA configuration (using group-policies) - the VPN still establishes to Phase 2 - but no packets are decrypted/decapsulated from the customer.

I am wondering if it's because the customer is using his public IP for both the VPN endpoint and for NATing...any thoughts...

yamramos.tueme Thu, 01/07/2010 - 15:41

Have you checked if you are encrypting packets on your end? It could be that your end is not sending traffic.

gammatel1 Fri, 01/08/2010 - 08:28

There are no packets being encaps or encrypted - but the customer initiates the VPN connection and data stream and I don't see any packets being decapsulated or decrypted. The vpn-filter ACL is applied to traffic once it is decapsulated and decrypted - but since there are no packets being received (out of the VPN) the vpn-filter ACL is not seeing any hits. Removing the vpn-filter ACL and group-policy means that the packets flow correctly over the VPN, i.e. packets are decaps/encaps and decrypt/encrypt correctly.

I have a load more VPNs using vpn-filters that work perfectly - but this VPN is the only one where the customer uses the same IP for both the VPN tunnel endpoint and for NATing his traffic over the VPN.
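
For reference, an added example that is not part of any post in this thread: the filter-related lines of an ASA LAN-to-LAN configuration where the remote side presents all of its traffic from one public IP, which is also the tunnel endpoint. The addresses are documentation ranges and the ACL, group-policy and crypto map names are hypothetical.

```cisco
! Constructed values (assumptions, not from the thread):
!   203.0.113.10    peer public IP: tunnel endpoint AND NAT source of peer traffic
!   192.0.2.0/24    local network behind the ASA
!
! Crypto ACL (selects what is encrypted): written LOCAL -> REMOTE.
access-list CRYPTO-CUST extended permit ip 192.0.2.0 255.255.255.0 host 203.0.113.10
!
! vpn-filter ACL (applied after decryption): written REMOTE -> LOCAL,
! regardless of which side initiates the flow.
! Here: the peer's NAT address may reach TCP/443 on the local network.
access-list VPN-FILTER-CUST extended permit tcp host 203.0.113.10 192.0.2.0 255.255.255.0 eq 443
access-list VPN-FILTER-CUST extended deny ip any any log
!
! Bind the filter to the peer through a group-policy.
group-policy GP-CUST internal
group-policy GP-CUST attributes
 vpn-filter value VPN-FILTER-CUST
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-CUST
!
crypto map OUTSIDE-MAP 10 match address CRYPTO-CUST
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
!
! Checks after the tunnel is rebuilt:
!   show crypto ipsec sa peer 203.0.113.10   (#pkts decaps / #pkts decrypt counters)
!   show access-list VPN-FILTER-CUST         (hitcnt on the permit and deny lines)
```

A changed vpn-filter applies only to tunnels established after the change, so the existing security association has to be torn down and renegotiated before the counters reflect the new ACL.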
